
Dependabot configuration to update actions in workflows

Open ScottBrenner opened this issue 1 year ago • 6 comments

Description

Noticed a few actions used in the workflows here are outdated, proposing a Dependabot configuration to update - reference https://docs.github.com/en/actions/security-guides/using-githubs-security-features-to-secure-your-use-of-github-actions#keeping-the-actions-in-your-workflows-secure-and-up-to-date

Suggest enabling https://docs.github.com/en/code-security/dependabot/working-with-dependabot/about-dependabot-on-github-actions-runners#enabling-or-disabling-for-your-repository as well.

ScottBrenner avatar Jun 08 '24 03:06 ScottBrenner

I tried this in the past and it broke things and I didn't have time to investigate further (revert PR). It was over two years ago so maybe things are better now. I won't be merging this until I have the time to deal with the fallout if this breaks things as in the past.

How confident are you that the latest actions versions won't break anything? Have you tested it?

lildude avatar Jun 08 '24 06:06 lildude

Thanks for the context - do you recall what broke? Seems checks did not run on the actions/checkout bump in https://github.com/github-linguist/linguist/pull/5911/checks, although the Actions history begins about a year after that (https://github.com/github-linguist/linguist/actions?page=32), so it may be lost to time.

In any case, I did bump actions/checkout to v4 on my fork here and all checks passed without issue: https://github.com/ScottBrenner/linguist/pull/1/checks

The other action, ruby/setup-ruby, appears to keep its "v1" tag updated (https://github.com/ruby/setup-ruby/tree/v1) and would not (yet) be updated by the proposed changes here.

ScottBrenner avatar Jun 09 '24 00:06 ScottBrenner

do you recall what broke?

I don't specifically, but from my comment in https://github.com/github-linguist/linguist/pull/5912 checkout depth was at least one problem. We need more than master for our tests as some need the commits in test/attributes.

This problem wasn't caught by the tests in the PR itself for some reason I can't recall 👴

lildude avatar Jun 13 '24 07:06 lildude
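As an added illustration, not the configuration from the proposed PR or any file in the linguist repository: a Dependabot configuration for the github-actions ecosystem, followed by the checkout step with the full-history caveat raised above. The weekly schedule, the grouping, and the fetch-depth value are assumptions.

```yaml
# .github/dependabot.yml (added example; schedule and grouping are assumptions)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" tells Dependabot to scan .github/workflows/ for `uses:` references
    directory: "/"
    schedule:
      interval: "weekly"
    # Batch every action bump into a single PR so CI runs once per batch
    groups:
      actions:
        patterns:
          - "*"
---
# .github/workflows/ci.yml (excerpt, added example; not the project's file)
steps:
  - uses: actions/checkout@v4
    with:
      # actions/checkout clones at depth 1 by default. Tests that rely on
      # history beyond HEAD (e.g. the commits under test/attributes) need
      # the full history, so request it explicitly; a version bump of the
      # action alone does not change this default.
      fetch-depth: 0
```

Dependabot only updates references that use a version tag or SHA it can compare; an action kept on a floating tag such as ruby/setup-ruby@v1 receives no PR until that tag itself moves to a new major version.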

The commits in test/attributes still seem to be fetched when the version of actions/checkout is updated - https://github.com/ScottBrenner/linguist/actions/runs/9432580092/job/25982529071?pr=1#step:4:18 - via https://github.com/github-linguist/linguist/blob/master/.github/workflows/ci.yml#L32?

ScottBrenner avatar Jun 14 '24 00:06 ScottBrenner

That looks to be left over from when I was tatting with this last time, so maybe I've already fixed that issue 😁

I note your test PR only updates the checkout action. Do things still pass if you update all actions to their latest versions? (I've not looked closely at what else is used and could be updated).

lildude avatar Jun 14 '24 05:06 lildude

Believe actions/checkout is the only action that would be updated by this - the only other action, ruby/setup-ruby, uses v1, which they seem to keep updated under https://github.com/ruby/setup-ruby/tree/v1

ScottBrenner avatar Jun 14 '24 22:06 ScottBrenner

There's no need to close this.

lildude avatar Jul 09 '24 07:07 lildude